ISO 9001 is defined as the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.

The International Organization for Standardization (ISO) is a non-governmental organization whose role is to facilitate international coordination and the standardization of industrial standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. ISO performs systematic reviews every 3-5 years to keep these standards up-to-date.

The revision process adjusts them to changes in the environment with the aim at improving organization’s ability to offer products and services that meet customer’s requirements. ISO has revised world’s leading Quality Management System (QMS), ISO 9001:2008 to ISO 9001:2015.

Quality management system is defined as a set of interrelated or interacting ele- ments to establish policies, objectives, and processes to achieve those objec- tives with regard to quality.

QMS is part of the overall management system, based on a business risk ap- proach, to establish, implement, operate, monitor, review, maintain and improve quality.

ISO 9001:2015 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system used to manage quality. The requirements set in ISO 9001:2015 are generic, flexible and useful to all types of organizations. Thus, this ISO Management System Standard can be aligned and integrated with other Management Systems such as Energy Management, Business Continuity Management and other management systems, due to their similar structure.

• Greater emphasis on process approach, risk management, monitoring performance and metrics;
• Better focus on interested parties;
• More careful analysis of the context of the organization needed for ensuring quality improvement;

1. establish, implement, maintain and improve a QMS;
2. assure conformity with the organization’s stated quality policy;
3. demonstrate conformity to others;
4. seek certification/registration of its QMS by an accredited third party certification body; or
5. make a self-determination and self-declaration of conformity with this International Standard.

ISO 9001:2015 is the first quality management standard to be fully compliant with the new guidelines from Annex SL (“High level structure and identical text for management system standards and common core management system terms and definitions”). It has been developed in response to standards users’ critics that, while current standards have many common components, they are not sufficiently aligned, making it difficult for organizations to rationalize their systems and to interface and integrate them. This means that ISO 9001 is integrated to the high-level structure and common text that will make it totally aligned with all other management systems once the related standards have also adopted the Annex SL guidelines.

Following the new structure of the Annex SL, ISO 9001 is organized into the following main clauses:

Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning for the quality management system
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation Clause
10: Improvement

Each of these key areas is listed and described below.

Clause 4: Context of the organization

The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its QMS such as:

• issues arising from technological, competitive, market, culture, social, and economic environments;
• issues related to values, culture, knowledge and performance of the organization;
• the identified needs and expectations of relevant interested parties;
• applicable legal, regulatory and other requirements to which the organization subscribes.

Defining the scope of the QMS, taking into account the organization’s strategic objectives, key products and services, risk tolerance, and any regulatory, contractual or stakeholder obligations is also part of this clause.

Clause 5: Leadership

Top management shall demonstrate leadership and commitment with respect to the quality management system by:

• Taking accountability of the effectiveness of the quality management system;
• Ensuring that the quality policy and quality objectives are compatible with the strategic direction and the context of the organization;
• Ensuring that the quality policy is communicated, understood and applied within the organization;
• Ensuring the integration of the QMS requirements into the organization’s business processes;
• Promoting awareness of the process approach;
• Ensuring that the resources needed for the QMS are available;
• Ensuring that the QMS achieves its intended results;
• Engaging, directing, and supporting persons to contribute to the effectiveness of the QMS;
• Promoting continual improvement;
• Ensuring that customer requirement and applicable statutory and regulatory requirements are deter- mined and met;
• Ensuring that the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addresses;
• Establishing, reviewing and maintaining the quality policy;
• Ensuring that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

Clause 6: Planning for the quality management system 

This is a critical stage as it relates to establishing strategic objectives and guiding principles for the QMS as a whole. The intent of the organization to treat the risks identified and/or to comply with the QMS requirements can be expressed through the QMS objectives. The quality objectives shall:

• be consistent with the quality policy;
• be measurable;
• take into account applicable requirements;
• be relevant to conformity of products and services and the enhancement of customer satisfaction;
• be monitored, communicated and updated as appropriate.

An organization wishing to comply with ISO 9001 shall at least:

• Select and define a risk assessment methodology.
• Demonstrate that the selected methodology will provide comparable and reproducible results
• Define criteria for accepting risks and identify acceptable levels of risk.

Clause 7: Support 

The day-to-day management of an effective quality management system relies heavily on using the appropriate resources for each task. These include having competent staff with relevant (and demonstrable) training and supporting services, awareness and communication. This must be supported by properly managed documented information.

Both internal and external communications of the organization must be considered in this area, including the format, the content and the proper timing of such communications.

The requirements on the creation, update and control of documented information are also specified in this clause.

Clause 8: Operation 

After planning the QMS, an organization must put it into operation. This clause includes:

Operational planning and control: This activity includes implementation of plans and processes that lead the organization towards meeting the quality management system requirements. Additionally, this clause requires from organizations that they establish controls which help in preventing any deviation from the quality policy, objectives, and legal requirements.

After the requirements have been established, the organization should control the planned changes and review the unintended changes to mitigate any adverse effect. All the processes within the organization, including outsourced processes should be controlled.

Determination of requirements for products and services: The organization shall determine all the requirements related to products and services, such as customer requirements, organizational, statutory and regulatory, and ISO 9001:2015 requirements. The organization shall establish an effective customer communication process. After all the requirements have been determined, they must be reviewed to ensure contract or order requirements differing from those previously defined are resolved.

Design and development of products and services: This activity requires that organizations establish, implement and maintain a design and development process.

Control of externally provided products and services: The organization shall ensure that externally provided processes, procedures, and services conform to specified requirements. This clause applies to both physical products and consumed services related to the end product of the organization. An organization will need to apply a risk-based approach and determine the type and extent of controls necessary.

Production and service provision: Businesses should control delivery and post-delivery activities to ensure that the product and service provision is implemented under controlled conditions. This requirement expects from organizations to have traceability mechanism to identify process outputs, protect and safeguard the property belonging to customers or external providers, and to preserve the products and services.

Release of products and services: Organization should verify conformance to acceptance criteria when re-leasing the products and services. Acceptance criteria is the criteria set by the organization specifying certain indicators or measures employed in assessing the ability of a component, structure, or system to perform its intended function. Setting the criteria before initiating the project makes its development much easier. Each organization should define its own criteria in order to ensure a higher level of customer satisfaction.

Control of nonconforming process outputs, products and services: This activity involves identification of control of products and services to ensure that they comply with the stated requirements. Nonconforming processes, products and services have to be corrected, segregated, or returned. Additionally, the standard requires that organization inform the customers for the nonconforming products to prevent customer dissatisfaction.

Clause 9: Performance Evaluation 

Once the QMS is implemented, ISO 9001 requires permanent monitoring of the system as well as periodic reviews to:

• demonstrate conformity of products and services to requirements;
• assess and enhance customer satisfaction;
• ensure conformity and effectiveness of the quality management system;
• demonstrate that planning has been successfully implemented;
• assess the performance of processes;
• assess the performance of external providers
• determine the need or opportunities for improvements within the quality management system.

Clause 10: Improvement

Continual improvement can be defined as all the actions taken throughout the organization to increase effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of processes and controls to bring increased benefits to the organization and its stakeholders. An organization can continually improve the effectiveness of its management system through the use of the quality policy, objectives,  and audit results, analysis of monitored events, indicators, risk analysis, corrective actions and management review.

Risk based approach

By undertaking risk-based approach, any organization can become more proactive rather than only reactive to changes in the context in which it evolves. It can thus better prevent or reduce undesired effects and can then better promote continual improvement. Preventive action becomes rather ‘automatic’ when a management system is risk-based.

In this meaning, risk-based approach is one of the major changes in the new version of ISO 9001. The 9001:2015 has replaced the ‘preventive action’ concept with a set of requirements on managing risk. Some risk analysis was implicit in the old version of the standard through preventive action analysis, but the new version makes risk more explicit by incorporating it throughout the quality management system.

The risk-based approach came as a result of the incorporation of Annex SL into ISO 9001:2015. It plays an important part in the new version of the standard, and it has clear clauses to determine risks and take actions. Even though the concept of ‘risk’ is new in ISO 9001:2015, many organizations already have an approach in place to manage risk. They have to align it with ISO 9001:2015 requirements and show that the requirements are met.

Risk can be found in the following clauses of ISO 9001:

• Clause 4 (Context of the organization) – the organization is required to determine the risks which may affect the quality management system.
• Clause 5 (Leadership) – top management is required to ensure that requirements from clause 4 are followed.
• Clause 6 (Planning for the quality management system) – the organization is required to take actions towards risk and opportunity identification.
• Clause 8 (Operation) – the organization is required to implement processes to address risks and opportunities.
• Clause 9 (Performance evaluation) – the organization is required to monitor, measure, analyses and evaluate the risks and opportunities.
• Clause 10 (Improvement) – the organization is required to continually improve its processes while responding to changes in risk.

Various standards such as ISO 9004 and ISO 9000 are used to complement ISO 9001:2015. ISO 9004 provides guidance to organizations to support the achievement of sustained success by a quality management approach. ISO 9004 standard provides additional guidelines on customer focus, defect prevention, cost control, process approach, documentation, purchasing, informed decision-making, training and employee motivation. In addition, ISO 9000 discusses definitions and terminology and is used to clarify the concepts used by the ISO 9001 and ISO 9004 standards.

Other standards that are closely linked to ISO 9001:2015 are sector specific standards. These standards are meant to complement quality management system in defining best practice within certain sectors, and tackle the issues which ISO 9001 does not cover. Sector specific quality management standards include ISO 16949 (automotive industry), AS 9100 (aerospace industry), TL 9000 (telecommunications industry), ISO 13485 (medical devices), ISO 29001 (oil and gas industry), and so on.

Integration with other management systems

General requirements presented in the table below are commonly stated in any management system and relate to determining objectives, applying them according to the organization’s habits and needs, keeping them alive based on a strong management commitment, monitoring and reviewing, supporting the management system by good documentation, regular ‘health-checks’ via internal or external audits and to gain benefits through continual improvement as achieved by a regular management review.

The table below shows how a QMS can be considered jointly with other management systems. This will authorize the organization to envision “combined audits” in order to achieve their compliance goals with adequate effort and budget.

As with all major undertakings within an organization, it is essential to gain the support and sponsorship of executive management. By far, the best way to achieve this is to illustrate the positive gains of having an effective quality management process in place, rather than highlighting the negative aspects of the contrary.

Today, an effective quality management is not about being forced into taking action to address external pressures, but its importance relies on recognizing the positive value of quality good practice being embedded throughout your organization.

The adoption of an effective quality management process within an organization will have benefits in a number of areas, examples of which include:

1. Improved organizational effectiveness and efficiency;
2. Improved understanding of the business as gained through risk identification and analysis
3. Operational resilience which results from implementing risk reduction
4. Downtime reduction due to the identification of alternative processes and workarounds
5. Protection of stakeholder value
6. Increase customer and employee satisfaction;
7. Increased market share and profit;
8. Improved organizational culture;
9. Enhanced continuous improvement;
10. Process improvement; and
11. Avoidance of liability actions.

ISO 9001:2015 is based on seven quality management principles that can be used by top management to lead the organization towards improved performance.

• Customer focus: Organizations depend on their customers and therefore should understand current and future customer needs, meet customer requirements and strive to exceed customer expectations.
• Leadership: Leaders establish the unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives.
• Engagement of People: People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit.
• Process approach: A desired result is achieved more efficiently when activities and related resourceare managed as a process
• Improvement: Improvement of the organization’s overall performance should be a permanent objective of the organization.
• Evidence-based Decision Making: Effective decisions are based on the analysis of data and information.
• Relationship Management: An organization and its interested parties are inter-dependent and a mutually beneficial relationship enhances their ability to create value.

Making the decision to implement a Quality Management System based on ISO 9001 may often be a simple one, as the benefits are well documented. It is important to follow a structured and effective methodology to cover all the minimum requirements for the implementation of a quality management system. Most companies now realize that it is not sufficient to implement a generic, “one size fits all” quality management program. For an effective implementation methodology, organizations need to take into account specific risks that would impact the quality performance. A more difficult task is the compilation of an implementation plan that balances the requirements of the standard, the business needs and the deadline to become certified.

There is no single blueprint for implementing ISO 9001 that will work for every company, but there are some common steps that will allow the organization to balance the often conflicting requirements and prepare for a successful certification audit. Whatever methodology used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, and so on).

Kwalitea Konsultants has developed a methodology for implementing a management system. It is called “Integrated Implementation Methodology for Management Systems and Standards (IMS2)” and is based on applicable best practices. This methodology is based on the guidelines of ISO standards and also meets the requirements of ISO 9001.

IMS2 is based on the PDCA cycle divided into four phases: Plan, Do, Check and Act. Each phase has be- tween 2 and 8 steps for a total of 20 steps. In turn, these steps are divided into 101 activities and tasks. This ‘Practical Guide’ considers the key phases in the implementation project from start to finish and suggests the appropriate ‘best practice’ for each one, while directing the organization to further helpful resources as it embarks on its ISO 9001 journey.

By following a structured and effective methodology, an organization can be sure it covers all minimum requirements for the implementation of a management system. As mentioned above, whatever methodology used, the organization must adapt it to its particular context, and not apply it like a cookbook. The key to implementation lies in a contextualized and adaptable approach by the organization, which will ensure a robust outcome.

The sequence of steps required in this process may be changed (inversion, merge), to meet the most suit- able outcome. For example, the implementation of the management procedure for documented information can be done before the understanding of the organization. Many processes are iterative because of the need for progressive development throughout the implementation project; for example, communication and training.

Certification of organizations

The usual path for an organization that wishes to be certified against ISO 9001 is the following:

1. Implementation of the management system:Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.

2. Internal audit and review by top management:Before a management system can be certified, it must have had at least one internal audit report and one management review.

3. Selection of the certification body (registrar):Each organization can select the certification body (registrar) of its choice.

4.Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.

5. Stage 1 audit:A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.

6. Stage 2 audits (On-site visit):The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard is actually being implemented in the organization and can support the organization in achieving its objectives. Stage 2 takes place at the site(s) of the organization’s sites(s) where the management system is implemented.

7. Follow-up audit (optional):If the auditee has non-conformities that require additional audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non- conformities (usually one day).

8.Confirmation of registration: If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.

9. Continual improvement and surveillance audits:Once an organization is registered, surveillance activities are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow verifying the conformity of the certified client’s management system and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc.